hacking unpacked

bug bounty

Instacart is an American company that operates a same-day grocery delivery service. Customers select groceries from various retailers through a web application, and the order is delivered by a personal shopper. As of 2017, Instacart only operates in the United States. [1]

The login process from the ‘sign-in’ page required an OTP sent to the registered mobile. I tried to log in multiple times from the login page; the surprising part was that I got the same OTP every time.

To show the impact, the attack had to be applicable to all accounts, not just my own.

Obviously, the first attempt would be brute forcing the login form with a known mobile number, as the verification code consists of only 5 digits. We could start from 00000 and go up to 99999, but that didn’t work: the rate limit blocked us after a certain number of attempts.

As it was a GET request, one could brute force the URL itself: just brute force the code part of the URL for a known number.
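The two server-side weaknesses in this story are a code that is reused across sign-in attempts and an attempt limit that only guards one of the endpoints. The following is an added example, not Instacart’s code, of how a verification service avoids both: every issuance generates a fresh code, a code is single-use, and one per-account attempt counter applies no matter which endpoint the guess arrives on. The server secret and phone numbers are constructed placeholders; `rng` and `clock` are injectable only so the behaviour can be tested deterministically.

```python
import hmac
import secrets
import time

OTP_DIGITS = 5          # same length as the code described above
MAX_ATTEMPTS = 5        # wrong guesses tolerated per issued code
TTL_SECONDS = 300       # code lifetime

SERVER_SECRET = b"constructed-placeholder-secret"   # assumption: loaded from a vault in practice


class OtpService:
    """Issues and verifies single-use OTPs keyed by phone number."""

    def __init__(self, rng=secrets.randbelow, clock=time.monotonic):
        self._rng = rng        # cryptographic RNG by default
        self._clock = clock
        # phone -> [digest, expires_at, attempts_left]
        self._store = {}

    @staticmethod
    def _digest(phone, code):
        # store only a keyed hash so a leaked store does not leak live codes
        msg = f"{phone}:{code}".encode()
        return hmac.new(SERVER_SECRET, msg, "sha256").hexdigest()

    def issue(self, phone):
        # a fresh random code on every request; any earlier code is replaced
        code = f"{self._rng(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        expires_at = self._clock() + TTL_SECONDS
        self._store[phone] = [self._digest(phone, code), expires_at, MAX_ATTEMPTS]
        return code   # would go out via SMS; returned here so callers can test it

    def verify(self, phone, code):
        """Return True once for the current code; every wrong guess, from any
        endpoint, consumes the same attempt budget."""
        entry = self._store.get(phone)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._store[phone]
            return False
        if hmac.compare_digest(digest, self._digest(phone, code)):
            del self._store[phone]          # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._store[phone]          # budget exhausted: force re-issue
        return False
```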

I have been doing bug bounties since September 2013 (Asana was the first), and have participated and qualified in almost all bug bounties at least once. My bucket list had Facebook, Yahoo, Twitter, Dropbox, GitHub and 100+ such sites (including a couple of YC startups), but Google VRP was a tough nut to crack. I always wanted to start my bug bounty story with Google, but failed in the past with a few duplicates.

I was watching 2016 Google I/O, and Firebase was the main focus. I had reported a couple of security issues when they were quite young. I got a mini box full of stickers, bands and hot sauces for my contribution.

“Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts.” – Wikipedia

CSRF is at 8th position in the OWASP Top 10. Using frameworks like Django or RoR reduces the risk of CSRF to a large extent, but it is still there. Also, because the forged request is sent from the victim’s own browser and IP address, the website’s logs show nothing that distinguishes it from legitimate traffic.

Examples of CSRF:

CSRF comes in all shapes and sizes. A dangerous one can take over an account; a minor one can destroy your session or log you out.

Every request that changes state on the server should have CSRF protection.

It can be an email change or the addition of user details like a bank account.
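The account-takeover variant above (changing the email), and the failure mode of tokens that are rendered in every form but never compared on the server, as an added example that is not code from this post or from any of the sites it mentions. `Session` and `Request` are minimal stand-ins for a framework’s objects.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    email: str
    # one random synchroniser token per session, rendered into every form
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict


def change_email_unvalidated(session, request):
    """The bug: a csrf_token field exists in the form, but the handler never
    looks at it, so a cross-site POST from an attacker page succeeds."""
    if request.method != "POST":
        return 405
    session.email = request.form["email"]
    return 200


def csrf_ok(session, request):
    """Submitted token must equal the one bound to this session.
    compare_digest keeps the comparison constant-time."""
    submitted = request.form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def change_email(session, request):
    """Hardened handler: state changes never ride on GET, and the token is
    actually checked before the email is touched."""
    if request.method != "POST":
        return 405
    if not csrf_ok(session, request):
        return 403
    session.email = request.form["email"]
    return 200
```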

I printed out my Asana task list for web app security testing; hopefully you’ll find it useful. The OWASP Top 10 are the starting points of web testing, followed by other, less common issues.

Comments inside my task list are more helpful (they provide various attack scenarios and test cases), but Asana doesn’t export comments when printing; maybe I’ll write a proper short guide explaining all the points in future. Stay tuned on my Twitter for further updates.

When I am not hunting I read about startups and what’s happening in the Valley. I check their sites, and as a security guy I cannot stop myself from checking their security. In the process, I came across this accounting web application (they are quite famous and making big bucks; I won’t name them as they might get disturbed after this post). I was just testing for common bugs: XSS, CSRF and all the regular stuff. Every field was vulnerable to XSS and every form was vulnerable to CSRF, as the token was not being validated. I used the Contact Us section of the site. Some non-technical lady replied, “Thanks for contacting us, we don’t have any reward scheme or anything.” Let’s give it one more try: this time I used the About Us page, googled the name of the engineer, found his GitHub account and found his Gmail there. He was really nice to me. Later we had a video chat on Skype; he was explaining things to me and asking about my background. He was impressed. Following is a copy-paste from the original POC that I sent back then:

1. XSS: JavaScript is not filtered, hence arbitrary JavaScript code can be executed. With document.cookie, a user’s cookie can be stolen, which can lead to full account takeover.

Later this year GitHub started a bug bounty; earlier they used to send swag to bug reporters and add their names to the GitHub security page.

Cracking a bug bounty on a main domain is really hard because of the competition all around. And like always, I will repeat: your social friends’ newsfeed matters a lot in bug bounty.

I remember one of my Facebook friends’ posts: “Easel.io is acquired by GitHub”.

I was like

Although CJ does not affect much of Easel’s functionality, as a bug hunter it is my responsibility to report things. It is up to the vendor whether they accept the bug or not.

Well, they had just acquired Easel and they accepted the CJ; as a result I got listed on their “Original Gangster” list, with some awesome swag.

Well, CJ was still working for me :P.

A few days later I got bored, so I thought I’d dig into Easel.io again (that was my private swag mine). This time Tamper Data worked for me. There were CSRF tokens all over the application, but those tokens were not being validated on the server side. This time the bug was critical and could take over any account by changing the email using a typical CSRF attack (sorry, I can’t find the POC for this in my mail). I reported the CSRF without any POC; GitHub’s security guys were smart enough to reproduce it. Guess what! Another GitHub packet for me, and this time I was on the leaderboard (the only Indian at that time 😛) with 500 pts. GitHub created a special page for me (https://bounty.github.com/researchers/introvertmac.html).

Well, that’s not the end; I reported a few more CSRFs (login) later that week. Easel was still my private swag mine till yesterday, when they sent me this

17 Sept is a special day for me, the day that made me officially the highest-earning family member 😛. A year ago today Facebook paid me $5000 for two clickjacking bugs in their mobile site (m.facebook.com).

There is quite an interesting story behind this. I had been into bug hunting for a long time, but till 11 Sept I was struggling for my first bounty. You might say I was not trying hard; I even confess I have never tried too hard in hunting till date.

But what I can say is that your networks on your social accounts (Twitter, Facebook) matter a lot. Even though they don’t share “how they do things”, they motivate you with the amounts they get from bounties.

15 Sept: One of my friends got $5000 from Facebook for some Facebook group bug; I was jealous and motivated. I started digging and found two CJ: one with Facebook messages (new thread), the other with Facebook notes.

17 Sept: Both clickjacking bugs were marked valid and bang..

$5000 is more than enough for CJ. Well, there might be some luck or fate involved. Thanks Adiya for sharing his tool.